What Banks Need to Know About the AICPA Cyber SOC

Aug 23, 2017 11:30:00 AM |

Ann Cleland


For organizations of every kind, data breach incidents are "when"—not "if"—events. Especially for business entities (like banks) that manage clients’ private information, building vigilance against threat actors, unintentional compromises, and other cyber vulnerabilities is as much a part of risk management as instituting compliance measures. But understanding how to spot weaknesses, build transparency, and engage checks and balances demands a new level of focus and capability for many banks.

This summer, the AICPA issued its much-anticipated standard on cybersecurity. Their System and Organization Controls (Cyber SOC) is new guidance that CPAs can use to standardize a process for reviewing and reporting on cybersecurity.

How the AICPA Cyber SOC Changes Risk Management

Organizations historically have relied on outside consultants and internal resources to spot and mitigate cyber risks. The Cyber SOC fundamentally changes how cyber threats are evaluated and managed. It allows for an independent, objective look at an organization’s processes, policies, and controls around cyber risks. 

Particularly for Boards of Directors, the new standard offers a necessary higher level of sophistication around understanding cyber risk, which is constantly evolving and demands greater oversight and agility than may currently be in place. The Cyber SOC also provides a more consistent benchmark of a business’ cybersecurity. The standard uses the same framework of management’s description of controls, control objectives, and control testing used in Service Organization Control Reporting (now renamed System and Organization Control Reporting).

Financial institutions no doubt will need to rely on this new report to evaluate businesses for loans and other forms of financing. Additionally, the report offers a framework through which leaders can assess the ability of a contractor to protect confidential information the institution may share for processing. The AICPA expects the report will become a standard resource for anyone considering the creditworthiness of a business seeking capital.

As with previous SOC reports, the Cyber SOC framework allows for a readiness assessment that can be used as a dry run for the formal SOC engagement. In the readiness assessment, the CPA benchmarks the organization’s current cyber control framework against the Cyber SOC control objectives. This benchmarking allows for the identification of gaps in the cyber control environment that can then be remediated. 

Once your team has performed a readiness assessment and mitigated all gaps, you can engage a SOC review. It will test each cyber control, alleviating concern about the robustness and operating effectiveness of the cyber controls. A report summarizing the controls, testing and results should then be provided to the Board as part of their oversight responsibilities.

The Cyber SOC is one of the next generation services from the AICPA. It’s incredibly valuable for organizations, and just as important to their Board members in identifying and managing cyber risks. 


THIS POST WAS WRITTEN BY Ann Cleland

Ann is a partner at HORNE Cyber where she oversees all aspects of cyber assurance services. Ann’s depth of knowledge in assurance covers service to a variety of clients in both external and internal audit capacities including governmental A-133 audits; and in industries as diverse as real estate, healthcare, nonprofit, retail and manufacturing.
